Within the field of computing, many scenarios involve a set of entities having a privilege level. As a first example, a service may be provided to a set of users, each of which has established a privilege level with the service, and the service may provide to each user a different level of service associated with the privilege level of the user (e.g., in a file-sharing service, a user with a higher privilege level may be allocated a larger amount of storage space, and/or may be granted more extensive access privileges, than a user with a lower privilege level). As a second example, a service may be provided to a set of devices (e.g., a cellular communications network configured to provide communication services to a set of wireless devices), and each device may be associated with a different privilege level (e.g., a first set of high-privilege-level devices provided to users directly by the provider of the service; a second set of privilege-trust-level devices provided to users by companies affiliated with the provider of the service; and a third set of low-privilege-level devices provided to users by unknown companies). Devices with lower privilege levels may be more likely to have been altered and/or used to access the service in unauthorized ways; therefore, higher levels of service may be provided to devices having higher privilege levels than devices having lower privilege levels.
A particular scenario wherein such techniques may be utilized involves the detection and obstruction of attempt to utilize a service in order to achieve a malicious result, such as accessing an account of another entity (e.g., accessing a bank account in order to steal funds, or accessing a web account of a webserver in order to insert advertisements), sending unsolicited bulk email messages (“spam”) or performing a distributed denial-of-service (“DDoS”) attack on a target. In order to achieve these results on a wide scale, the instigators of such attempts may utilize automated processes, such as brute-force algorithms that attempt to identify security vulnerabilities in services or to guess the identity credentials (such as user ID and password) of the accounts of various individuals. The administrators of such services may utilize various techniques to verify that an entity requesting access to the service is a human and not an automated process. As one such technique, a “captcha” mechanism may be utilized, wherein an image is generated and presented that is difficult for an automated process to interpret, but that is comparatively easy for a human to interpret (e.g., text presented in a distorted manner on a noisy background). The service may be provided to the entity only after presenting a correct identification of the content of the image.
Within these and other scenarios, many techniques may be used to identify and update the privilege level associated with a particular entity. For example, different levels of identity verification may be utilized to establish the identity of a user or device with a higher degree of confidence (e.g., requesting and verifying increasingly personal, private, sensitive, and/or extensive levels of information about the user, or inspecting the components of a device with finer granularity). For example, in order to verify the identity of the entity with a higher degree of confidence, captcha techniques may present a more lengthy or more complex captcha, or may inspect the response of the entity with a higher degree of precision. The privilege level of the entity may be established according to the confidence established in the entity, and may be used in various ways (e.g., to determine the degree of service provided to the entity).